I have been a part of several discussions, posted articles, and responded to articles that talk about whom the CISO should report to.
First, let me state: the CISO should NOT report to the CIO. The CISO should report to the CEO/Board. The whys are another discussion and are posted all over the Internet. This discussion is about something else.
Here is where I blow your collective minds: my proposed redo of the C-suite as it pertains to security and IT. These roles should all independently report to the CEO/Board, but be the best of friends.
CPO – Chief Privacy Officer – does what this officer already oversees, the privacy policies of the organization; most likely a lawyer
CDO – Chief Data Officer – oversees data, data usage, and data analytics, and designates the classification of data
CTO – Chief Technology Officer – is the IT officer; oversees the technology, network, infrastructure, data center, etc.
CAO – Chief Application Officer – oversees application development
CCO – Chief Compliance Officer – ensures the C-suite adheres to regulations, laws, and rules; also oversees the IS and IT audits and the Audit Director
CISO – Chief Information Security Officer (or we could use CSO – Chief Security Officer, or even CCSO – Chief Cyber Security Officer) – this leader oversees the security program, governance, operations, and the whole Detect, Protect, Identify, Respond, and Recover process. Keep in mind that the security program enables and contributes to the success of all the other C-suite roles listed above. Without the security program the others are futile.
I look forward to your thoughts, comments, and additions.